#!/usr/bin/perl -w

use strict;
use Data::Dumper;
use DateTime;
use DateTime::Format::DateParse;
use Net::DNS;
use Net::Abuse::Utils qw(:all);
use Regexp::Common qw/net/;

use CIF::Message::Domain;
use CIF::Message::Inet;
use CIF::Message::Infrastructure;
use CIF::Message::Malware;

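# Import the malwaredomains.com feed (/tmp/domains.txt) into CIF.
#
# One feed line is: DOMAIN  TYPE  ORIGINAL_REFERENCE  DATE (tab/space separated,
# '#' lines are comments). For every line we resolve the domain, record a
# Malware record when the reference carries an md5, one Domain record per
# resource record returned, and an Infrastructure record for every A record.
#
# The feed is untrusted input: domain names are passed unvalidated to
# CIF::Message::Domain::getrdata and the CIF::Message::*->insert calls; this
# assumes those modules parameterise their storage layer -- TODO confirm.
my $partner  = 'malwaredomains.com';
my $timeout  = 5;    # NOTE(review): never read below; kept for compatibility
my $feed_url = 'http://www.malwaredomains.com/files/domains.txt';
my $res = Net::DNS::Resolver->new(
    nameservers => ['8.8.8.8']
);

# Three-arg open on a lexical handle, checked: the old bareword two-arg open
# was unchecked, so a missing file silently produced an empty run.
my $feed_file = '/tmp/domains.txt';
open my $fh, '<', $feed_file or die "open $feed_file: $!";

LINE: while (my $line = <$fh>) {
    chomp $line;
    next LINE if $line =~ /^#/;

    # Strip leading and trailing blanks separately -- the original single
    # substitution lacked /g and therefore only removed one of the two.
    $line =~ s/^[ \t]+//;
    $line =~ s/[ \t]+$//;
    next LINE unless length $line;    # blank lines would otherwise yield undef fields

    my ($domain, $type, $orig_ref, $date) = split /[ \t]+/, $line;
    next LINE unless defined $domain && length $domain;
    $type     = 'unknown' unless defined $type;
    $orig_ref = ''        unless defined $orig_ref;

    # 'malware' and 'threat' carry no extra information in this feed.
    $type = 'unknown' if $type eq 'malware' || $type eq 'threat';

    my @rdata = CIF::Message::Domain::getrdata($res, $domain);

    # Unparseable or missing dates become undef rather than aborting the run.
    $date = defined $date
        ? eval { DateTime::Format::DateParse->parse_datetime($date) }
        : undef;

    # A reference of the form "...md5=<32 hex>" identifies the sample; record
    # it once and link every Domain record of this line to it via relatedid.
    my $uuid;
    if ($orig_ref =~ /md5=([0-9a-fA-F]{32})$/) {
        my $hash_md5 = $1;
        my $malware = CIF::Message::Malware->insert({
            description => 'malware ' . $type . ' - ' . $hash_md5,
            source      => $partner,
            hash_md5    => $hash_md5,
            impact      => 'malware ' . $type,
            restriction => 'need-to-know',
            severity    => 'medium',
            confidence  => 5,
            alternativeid  => $feed_url,
            alternativeid_restriction => 'public',
            detecttime  => $date,
        });
        $uuid = $malware->uuid();
    }

    RR: foreach my $rr (@rdata) {
        my ($as, $as_desc, $network, $ccode, $rir, $dt);
        my $address = $rr->{'address'};
        my $rtype   = defined $rr->{'type'} ? $rr->{'type'} : '';
        # Anchored at both ends: only a bare dotted quad is looked up.
        my $is_ipv4 = defined $address && $address =~ /^$RE{net}{IPv4}\z/;

        if ($is_ipv4) {
            ($as, $network, $ccode, $rir, $dt) = get_asn_info($address);
            # Net::Abuse::Utils reports "NA" for unknown fields. Normalise to
            # undef before the description lookup so we never query AS "NA".
            # (The original checked $date instead of $dt on the last field.)
            for my $field ($as, $network, $ccode, $rir, $dt) {
                $field = undef if defined $field && $field eq 'NA';
            }
            $as_desc = get_as_description($as) if $as;
            $as_desc = undef if defined $as_desc && $as_desc eq 'NA';
        }

        # Default classification for an A/AAAA/other record of the domain;
        # NS and CNAME records are reported against the referenced name.
        my $impact      = 'malicious domain';
        my $description = 'malicious domain ' . $type . ' - ' . $domain;
        my $severity    = ($rtype eq 'NS') ? 'low' : 'medium';
        my $ddd         = $domain;
        if ($rr->{'nameserver'}) {
            $ddd         = $rr->{'nameserver'};
            $impact      = 'suspicious nameserver';
            $description = $impact . ' ' . $type . ' - ' . $ddd;
            $severity    = 'low';
        }
        if ($rr->{'cname'}) {
            $ddd         = $rr->{'cname'};
            $description = 'malicious domain ' . $type . ' - ' . $ddd;
        }

        my $u = CIF::Message::Domain->insert({
            relatedid   => $uuid,
            address     => $ddd,
            source      => $partner,
            confidence  => 5,
            severity    => $severity,
            impact      => $impact,
            description => $description,
            detecttime  => $date,
            class       => $rr->{'class'},
            ttl         => $rr->{'ttl'},
            type        => $rr->{'type'},
            rdata       => $rr->{'address'},
            asn         => $as,
            asn_desc    => $as_desc,
            cidr        => $network,
            cc          => $ccode,
            rir         => $rir,
            restriction => 'need-to-know',
            alternativeid  => $feed_url,
            alternativeid_restriction => 'public',
        });
        warn $u;    # NOTE(review): debug trace of the inserted object, kept as-is

        # Only records that resolved to a real IPv4 address (and are not the
        # CNAME hop itself) describe infrastructure.
        if ($is_ipv4 && $rtype ne 'CNAME') {
            CIF::Message::Infrastructure->insert({
                relatedid   => $u->uuid(),
                address     => $rr->{'address'},
                impact      => 'malware infrastructure ' . $type,
                source      => $partner,
                description => 'malware infrastructure ' . $type . ' - ' . $rr->{'address'},
                confidence  => 2,
                severity    => $severity,
                detecttime  => $date,
                restriction => 'need-to-know',
                asn         => $as,
                asn_desc    => $as_desc,
                cc          => $ccode,
                cidr        => $network,
                rir         => $rir,
                alternativeid  => $feed_url,
                alternativeid_restriction => 'public',
            });
        }
    }
}

close $fh or warn "close $feed_file: $!";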
